Package io.envoyproxy.envoy.config.filter.http.ext_authz.v2

Interface ExtAuthzOrBuilder

All Superinterfaces:
com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder
All Known Implementing Classes:
ExtAuthz, ExtAuthz.Builder
public interface ExtAuthzOrBuilder extends com.google.protobuf.MessageOrBuilder

  • Method Details

    • hasGrpcService

      boolean hasGrpcService()
       gRPC service configuration (default timeout: 200ms).
      .envoy.api.v2.core.GrpcService grpc_service = 1;
      Returns:
      Whether the grpcService field is set.

    • getGrpcService

      GrpcService getGrpcService()
       gRPC service configuration (default timeout: 200ms).
      .envoy.api.v2.core.GrpcService grpc_service = 1;
      Returns:
      The grpcService.

    • getGrpcServiceOrBuilder

      GrpcServiceOrBuilder getGrpcServiceOrBuilder()
       gRPC service configuration (default timeout: 200ms).
      .envoy.api.v2.core.GrpcService grpc_service = 1;

    • hasHttpService

      boolean hasHttpService()
       HTTP service configuration (default timeout: 200ms).
      .envoy.config.filter.http.ext_authz.v2.HttpService http_service = 3;
      Returns:
      Whether the httpService field is set.

    • getHttpService

      HttpService getHttpService()
       HTTP service configuration (default timeout: 200ms).
      .envoy.config.filter.http.ext_authz.v2.HttpService http_service = 3;
      Returns:
      The httpService.

    • getHttpServiceOrBuilder

      HttpServiceOrBuilder getHttpServiceOrBuilder()
       HTTP service configuration (default timeout: 200ms).
      .envoy.config.filter.http.ext_authz.v2.HttpService http_service = 3;

    • getFailureModeAllow

      boolean getFailureModeAllow()
        Changes filter's behaviour on errors:

  1. When set to true, the filter will *accept* client request even if the communication with
  the authorization service has failed, or if the authorization service has returned a HTTP 5xx
  error.

  2. When set to false, ext-authz will *reject* client requests and return a *Forbidden*
  response if the communication with the authorization service has failed, or if the
  authorization service has returned a HTTP 5xx error.

 Note that errors can be *always* tracked in the :ref:`stats
 <config_http_filters_ext_authz_stats>`.
      bool failure_mode_allow = 2;
      Returns:
      The failureModeAllow.

    • getUseAlpha

      @Deprecated boolean getUseAlpha()
      Deprecated.
      envoy.config.filter.http.ext_authz.v2.ExtAuthz.use_alpha is deprecated. See envoy/config/filter/http/ext_authz/v2/ext_authz.proto;l=53
       [#not-implemented-hide: Support for this field has been removed.]
      bool use_alpha = 4 [deprecated = true, (.envoy.annotations.disallowed_by_default) = true];
      Returns:
      The useAlpha.

    • hasWithRequestBody

      boolean hasWithRequestBody()
       Enables filter to buffer the client request body and send it within the authorization request.
 A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request message indicating if the body data is partial.
      .envoy.config.filter.http.ext_authz.v2.BufferSettings with_request_body = 5;
      Returns:
      Whether the withRequestBody field is set.

    • getWithRequestBody

      BufferSettings getWithRequestBody()
       Enables filter to buffer the client request body and send it within the authorization request.
 A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request message indicating if the body data is partial.
      .envoy.config.filter.http.ext_authz.v2.BufferSettings with_request_body = 5;
      Returns:
      The withRequestBody.

    • getWithRequestBodyOrBuilder

      BufferSettingsOrBuilder getWithRequestBodyOrBuilder()
       Enables filter to buffer the client request body and send it within the authorization request.
 A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request message indicating if the body data is partial.
      .envoy.config.filter.http.ext_authz.v2.BufferSettings with_request_body = 5;

    • getClearRouteCache

      boolean getClearRouteCache()
       Clears route cache in order to allow the external authorization service to correctly affect
 routing decisions. Filter clears all cached routes when:

 1. The field is set to *true*.

 2. The status returned from the authorization service is a HTTP 200 or gRPC 0.

 3. At least one *authorization response header* is added to the client request, or is used for
 altering another client request header.
      bool clear_route_cache = 6;
      Returns:
      The clearRouteCache.

    • hasStatusOnError

      boolean hasStatusOnError()
       Sets the HTTP status that is returned to the client when there is a network error between the
 filter and the authorization server. The default status is HTTP 403 Forbidden.
      .envoy.type.HttpStatus status_on_error = 7;
      Returns:
      Whether the statusOnError field is set.

    • getStatusOnError

      HttpStatus getStatusOnError()
       Sets the HTTP status that is returned to the client when there is a network error between the
 filter and the authorization server. The default status is HTTP 403 Forbidden.
      .envoy.type.HttpStatus status_on_error = 7;
      Returns:
      The statusOnError.

    • getStatusOnErrorOrBuilder

      HttpStatusOrBuilder getStatusOnErrorOrBuilder()
       Sets the HTTP status that is returned to the client when there is a network error between the
 filter and the authorization server. The default status is HTTP 403 Forbidden.
      .envoy.type.HttpStatus status_on_error = 7;

    • getMetadataContextNamespacesList

      List<String> getMetadataContextNamespacesList()
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service as an opaque *protobuf::Struct*.

 For example, if the *jwt_authn* filter is used and :ref:`payload_in_metadata
 <envoy_api_field_config.filter.http.jwt_authn.v2alpha.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Returns:
      A list containing the metadataContextNamespaces.

    • getMetadataContextNamespacesCount

      int getMetadataContextNamespacesCount()
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service as an opaque *protobuf::Struct*.

 For example, if the *jwt_authn* filter is used and :ref:`payload_in_metadata
 <envoy_api_field_config.filter.http.jwt_authn.v2alpha.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Returns:
      The count of metadataContextNamespaces.

    • getMetadataContextNamespaces

      String getMetadataContextNamespaces(int index)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service as an opaque *protobuf::Struct*.

 For example, if the *jwt_authn* filter is used and :ref:`payload_in_metadata
 <envoy_api_field_config.filter.http.jwt_authn.v2alpha.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Parameters:
      index - The index of the element to return.
      Returns:
      The metadataContextNamespaces at the given index.

    • getMetadataContextNamespacesBytes

      com.google.protobuf.ByteString getMetadataContextNamespacesBytes(int index)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service as an opaque *protobuf::Struct*.

 For example, if the *jwt_authn* filter is used and :ref:`payload_in_metadata
 <envoy_api_field_config.filter.http.jwt_authn.v2alpha.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the metadataContextNamespaces at the given index.

    • hasFilterEnabled

      boolean hasFilterEnabled()
       Specifies if the filter is enabled.

 If :ref:`runtime_key <envoy_api_field_core.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.

 If this field is not specified, the filter will be enabled for all requests.
      .envoy.api.v2.core.RuntimeFractionalPercent filter_enabled = 9;
      Returns:
      Whether the filterEnabled field is set.

    • getFilterEnabled

      RuntimeFractionalPercent getFilterEnabled()
       Specifies if the filter is enabled.

 If :ref:`runtime_key <envoy_api_field_core.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.

 If this field is not specified, the filter will be enabled for all requests.
      .envoy.api.v2.core.RuntimeFractionalPercent filter_enabled = 9;
      Returns:
      The filterEnabled.

    • getFilterEnabledOrBuilder

      RuntimeFractionalPercentOrBuilder getFilterEnabledOrBuilder()
       Specifies if the filter is enabled.

 If :ref:`runtime_key <envoy_api_field_core.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.

 If this field is not specified, the filter will be enabled for all requests.
      .envoy.api.v2.core.RuntimeFractionalPercent filter_enabled = 9;

    • hasDenyAtDisable

      boolean hasDenyAtDisable()
       Specifies whether to deny the requests, when the filter is disabled.
 If :ref:`runtime_key <envoy_api_field_core.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny request for
 filter protected path at filter disabling. If filter is disabled in
 typed_per_filter_config for the path, requests will not be denied.

 If this field is not specified, all requests will be allowed when disabled.
      .envoy.api.v2.core.RuntimeFeatureFlag deny_at_disable = 11;
      Returns:
      Whether the denyAtDisable field is set.

    • getDenyAtDisable

      RuntimeFeatureFlag getDenyAtDisable()
       Specifies whether to deny the requests, when the filter is disabled.
 If :ref:`runtime_key <envoy_api_field_core.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny request for
 filter protected path at filter disabling. If filter is disabled in
 typed_per_filter_config for the path, requests will not be denied.

 If this field is not specified, all requests will be allowed when disabled.
      .envoy.api.v2.core.RuntimeFeatureFlag deny_at_disable = 11;
      Returns:
      The denyAtDisable.

    • getDenyAtDisableOrBuilder

      RuntimeFeatureFlagOrBuilder getDenyAtDisableOrBuilder()
       Specifies whether to deny the requests, when the filter is disabled.
 If :ref:`runtime_key <envoy_api_field_core.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny request for
 filter protected path at filter disabling. If filter is disabled in
 typed_per_filter_config for the path, requests will not be denied.

 If this field is not specified, all requests will be allowed when disabled.
      .envoy.api.v2.core.RuntimeFeatureFlag deny_at_disable = 11;

    • getIncludePeerCertificate

      boolean getIncludePeerCertificate()
       Specifies if the peer certificate is sent to the external service.

 When this field is true, Envoy will include the peer X.509 certificate, if available, in the
 :ref:`certificate<envoy_api_field_service.auth.v2.AttributeContext.Peer.certificate>`.
      bool include_peer_certificate = 10;
      Returns:
      The includePeerCertificate.

    • getServicesCase

      ExtAuthz.ServicesCase getServicesCase()